Network access by applications in an enterprise managed device system

ABSTRACT

Disclosed are various examples for enforcing network access permissions on applications that are installed on a client device. A network whitelist or network blacklist can be deployed by a management service onto a managed client device. A management component can facilitate enforcement of the whitelist and/or blacklist to enforce network access rules on installed applications.

RELATED APPLICATION

Benefit is claimed under 35 U.S.C. 119(a)-(d) to Foreign ApplicationSerial No. 201741024105 filed in India entitled “NETWORK ACCESS BYAPPLICATIONS IN AN ENTERPRISE MANAGED DEVICE SYSTEM”, filed on Jul. 8,2017 by VMware, Inc, which is herein incorporated in its entirety byreference for all purposes.

BACKGROUND

An enterprise can use a management service capable of protectingenterprise data, like email and corporate documents, from theft, dataloss, and unauthorized access. The enterprise can require devices usedby employees to be enrolled with the management service to protectenterprise data. These managed devices can include enterprise-owneddevices and bring-your-own-device (BYOD) technologies. With the emerginguse of BYOD technologies by enterprises, management systems areincreasingly likely to require support for a variety of devices and avariety of platforms. Platforms that include features or optionsdirected to supporting both enterprise use and personal use can bereferred to as management platforms. Management platforms includeversions of the Android operating system. When used in an enterprisesetting, Android can be referred to as “Android enterprise,” “Android inthe enterprise,” or “Android for Work.”

Management of these devices in an enterprise environment can providevarious management options for an administrator. An administrator candefine and enforce compliance policies or rules on a particular device.The administrator can also push applications to a user's enrolleddevice. The administrator can also cause various profiles to beinstalled on a user's device, such as a security certificate, wirelessnetwork credentials, authentication tokens, or other data. Theadministrator can leverage a management service that is executedremotely from a user's device that is in communication with a managementcomponent or application that is installed on the user's device. Themanagement component can enforce policies or rules, install or deletedata from the device, or take other enforcement actions on the device onbehalf of the management service.

In some scenarios, an administrator might wish to impose restrictions onapplications that are installed on the user's device, such as when theyare permitted to access a network connection of the device. However,without modifying the application code itself, it can be difficult toenforce these restrictions.

BRIEF DESCRIPTION OF THE DRAWINGS

Many aspects of the present disclosure can be better understood withreference to the following drawings. The components in the drawings arenot necessarily to scale, with emphasis instead being placed uponclearly illustrating the principles of the disclosure. Moreover, in thedrawings, like reference numerals designate corresponding partsthroughout the several views.

FIG. 1 is a drawing of an example of a networked environment including amanagement system and a client device.

FIG. 2 is a sequence diagram illustrating functionality implemented bycomponents of the networked environment.

FIG. 3 is a sequence diagram illustrating functionality implemented bycomponents of the networked environment.

FIGS. 4-5 are flowcharts illustrating functionality implemented bycomponents of the networked environment.

DETAILED DESCRIPTION

The present disclosure relates to enforcing networking restrictions onvarious applications that are installed on a user's client device. Inparticular, in the case of a managed client device that is enrolled witha management platform, examples of the disclosure can enforce networkaccess rules on applications that are installed on the client device.Examples of the disclosure can use various approaches. First, theoperating system network permissions for a particular application can bemodified to enforce rules specified by a network whitelist or blacklist.Another approach involves installing and registering a global proxy onthe user's device through which network traffic is routed, which canenforce network whitelist or blacklist rules. A third approach involvesleveraging an operating system application programming interface (API)that allows the operating system to restrict certain applications' usageof background data or a network connection to enforce network whitelistor blacklist rules.

With reference to FIG. 1, shown is an example of a networked environment100. The networked environment 100 can include a management system 106and a client device 109 in communication with one another over a network112. An enterprise can issue the client device 109 to a user, or theclient device 109 can be provided by the user. The client device 109 canbe enrolled with a management service 130 of the management system 106.The client device 109 can be representative of multiple client devices109. The client device 109 can run an operating system that permitsenrollment and management of the device by a remotely executedmanagement service 130, such as the Android operating system, iOS®,Microsoft Windows®, or other operating systems with management APIs.

The network 112 can include, for example, the Internet, intranets,extranets, wide area networks (WANs), local area networks (LANs), wirednetworks, wireless networks, other suitable networks, or any combinationof two or more networks. For example, the networks can include satellitenetworks, cable networks, Ethernet networks, telephony networks, andother types of networks.

The management system 106 can include, for example, a server computer orany other system providing computing capability. Alternatively, themanagement system 106 can include a plurality of computing devices thatare arranged, for example, in one or more server banks, computer banks,or other arrangements. The management systems 106 can include a gridcomputing resource or any other distributed computing arrangement. Thecomputing devices can be located in a single installation or can bedistributed among many different geographical locations. The managementsystems 106 can also include or be operated as one or more virtualizedcomputer instances. For purposes of convenience, the management system106 is referred to herein in the singular. Even though the managementsystem 106 is referred to in the singular, it is understood that aplurality of management systems 106 can be employed in the variousarrangements as described above.

The management system 106 executes a management service 130 to overseethe management of the client devices 109. An enterprise can utilize themanagement service 130 to oversee or manage the operation of the clientdevices 109 of its employees, contractors, customers, students, or otherusers having user accounts with the enterprise. The management service130 can remotely configure the client device 109 by interacting with anagent application, a management component 177 that is executed on theclient device 109.

The management system 106 can execute an application that provides auser interface into the management capabilities of the managementservice 130. For example, an administrative console 132, through anapplication, web application, and/or network site, can provide a userinterface for administration of the management service 130. Theadministrative console 132 can also provide for the creation of networkwhitelist or blacklist rules that can be enforced for specifiedapplications on enrolled client devices 109.

The management service 130 can transmit various software components tothe client device 109, which are then installed or configured by themanagement component 177. Software components can include, for example,additional applications 175, profiles, policies, resources, libraries,drivers, device configurations, or other similar components that requireinstallation on the client device 109 as specified by an administratorof the management service 130. The management service 130 can furthercause policies to be implemented on a client device 109. Policies caninclude, for example, restrictions or permissions pertaining tocapabilities of a client device 109. For instance, policies can requirecertain hardware or software functions of the client device 109 to beenabled or be disabled during a certain time period or when the clientdevice 109 is physically located at a particular location. Policies canbe implemented by the management component 177.

The management service 130 can have a command queue storing at least oneaction to perform on the particular client device 109 upon check-in ofthe client device 109. For instance, the management component 177 cancause the client device 109 to check-in with the management service,identify an action in the command queue, and perform the action. Anaction can be the installation of a management profile, or the executionof a command or other actions to install software components orimplement policies. A management profile can include a set ofattributes, features, services, configurations, and settings that areassociated with a device and/or a user. In some cases, the managementcomponent 177 can cause a check-in of the client device 109periodically, on a schedule, or upon an event such as entering aphysical location, changing a state of the client device 109, orinstalling an application on the client device 109. In one example, thecontents of the command queue can include a command that the managementcomponent 177 causes to be executed on the client device 109. In anotherexample, the contents of the command queue can include a resource or anapplication 175 that the management component 177 causes to be installedon the client device 109, which the client device 109 may access througha specified uniform resource identifier (URI) or a uniform resourcelocator (URL).

Also, the management service 130 can request that the client device 109check-in using a notification service like APPLE® Push NotificationService (APNS), GOOGLE® Cloud Messaging (GCM), or WINDOWS® PushNotification Services (WNS). For example, the management service 130 cantransmit a request to the notification service requesting that theclient device 109 check-in. The notification service can push orotherwise route a notification to the client device 109. Once thenotification is received, the management component 177 can cause theclient device 109 to check-in with the management service 130. Asdescribed above, the management component 177 can determine whether acommand queue provided by the management service 130 for the respectiveclient device 109 contains any commands or resources for the clientdevice 109, and, if so, can cause the commands or resources to bedownloaded and/or implemented on the client device 109.

The data store 127 can include storage resources accessible to themanagement service 130, memory of the management system 106, massstorage resources of the management system 106, or any other storageresources on which data can be stored by the management system 106. Thedata stored in the data store 127 can include, for example, device data135, enterprise data 138, compliance rules 141, a network whitelist 143,a network blacklist 145, and other data.

Generally, device data 135 includes data associated with a configurationof a client device 109 enrolled or managed by the management service130. The device data can include an identifier of the client device 109.The identifier can be a serial number, media access control (MAC)address, other network address, or another device identifier. Devicedata 135 can also include data pertaining to a user of each clientdevice 109. In addition, the device data 135 can include an enrollmentstatus indicating whether a client device 109 has been enrolled with themanagement service 130. In one example, a client device 109 designatedas “enrolled” can be permitted to access the enterprise data 138 while aclient device 109 designated as “not enrolled,” or having nodesignation, can be denied access to the enterprise data 138.

Additionally, device data 135 can include indications of the state ofthe client device 109. In one example, these indications can specifyapplications that are installed on the client device 109, configurationsor settings that are applied to the client device 109, user accountsassociated with the client device 109, the physical location of theclient device 109, the network to which the client device 109 isconnected, and other information describing the current state of theclient device 109.

Further, device data 135 can also include data pertaining toorganization groups. The device data 135 can include a device recordassociated with each client device 109. The device record(s) can includea file or table that includes the device data 135 that is associatedwith each client device 109. A device record format for client devices109 that use a management platform can be different from a device recordfor client devices 109 that do not use the management platform.

Compliance rules 141 can include, for example, configurable criteriathat must be satisfied for an enrolled one of the client devices 109 tobe “in compliance” with the management service 130. The compliance rulescan be based on a number of factors including geographical location ofthe client device 109, activation status, enrollment status,authentication data including authentication data obtained by a deviceregistration system, time, and date, and network properties, among otherfactors. The compliance rules can also be determined based on a userprofile associated with a user. The user profile can be identified byobtaining authentication data associated with the client device 109. Theuser profile can be associated with compliance rules that are furtherdetermined based on time, date, geographical location and networkproperties detected by the client device 109. The user profile canfurther be associated with an organization group, and compliance rulescan be determined in view of the organization group.

Compliance rules 141 can include predefined constraints that must be metin order for the management service 130, or other applications, topermit access to the enterprise data 138 or other features of the clientdevice 109. In some examples, the management service 130 communicateswith a management application, a migration application, or anotherapplication 175 executable on the client device 109 to determine whetherstates exist on the client device 109 that do not satisfy one or morecompliance rules 141. Some of these states can include, for example, avirus or malware being detected on the client device 109; installationor execution of a blacklisted application 175; or a client device 109being “rooted” or “jailbroken,” where root access is provided to a userof the client device 109. Additional states can include the presence ofparticular files, questionable device configurations, vulnerableversions of applications 175, or other vulnerability, as can beappreciated. In some examples, the compliance rules 141 can beconfigured in the management service 130, as specified by anadministrator through a user interface of the management service 130.

Client devices 109 can also be organized into organization groups. Groupdata can include information pertaining to various organization groupsof an enterprise. An administrator can specify one or more of the clientdevices 109 as belonging to an organization group. Organization groupscan be created by an administrator of the management service 130 so abatch of client devices 109 can be configured according to commonsettings. For instance, an enterprise can create respective organizationgroups for the marketing department and the sales department, where theclient devices 109 in the marketing department are configureddifferently from the client devices 109 in the sales department. A groupcan be associated with particular management profiles, policies,applications, data formats, and other configuration details.

A network whitelist 143 can identify applications 175 in an applicationrepository, such as an application store or application marketplace,along with a network whitelist rule for each identified application 175.For example, an administrator can define a network whitelist rule for aparticular application that is distributed by or approved forinstallation by the enterprise on a client device 109. The networkwhitelist rule can specify whether the application is permitted tocommunicate over a cellular network connection of the client device 109or particular Wi-Fi network connections of the client device 109. Inother words, the whitelist network rule can identify particular networkstates that an application is entitled to access a network connection ofthe client device 109. In one example, the network whitelist can specifythat a particular application is permitted to access the networkconnection of the client device 109 only when the network state matchesthe state that is specified by the network whitelist rule.

In one example, a network whitelist rule can specify that an application175 is permitted to access the network connection of the client device109 to communicate with the network 112 when the client device 109 isconnected to a managed Wi-Fi network. In this scenario, a managed Wi-Finetwork is a Wi-Fi network for which the management service 130 hasconfigured or pushed credentials to the management component 177. Inthis scenario, if the client device 109 is connected to any other Wi-Finetwork, or an unmanaged Wi-Fi network, the particular application 175is not permitted to access the network connection of the client device109. If the client device 109 is only connected to a cellular network,the application 175 is not permitted to access the network connection ofthe client device 109.

In another example, a network whitelist rule can specify that anapplication 175 is permitted to access the network connection of theclient device 109 when the client device 109 is connected to anunmanaged Wi-Fi network. In this scenario, if the client device 109 isconnected to a managed Wi-Fi network, the application 175 is notpermitted to access the network connection of the client device 109. Ifthe client device 109 is only connected to a cellular network, theapplication 175 is not permitted to access the network connection of theclient device 109.

In another example, a network whitelist rule can specify that anapplication 175 is permitted to access the network connection of theclient device 109 when the client device 109 is not connected to a Wi-Finetwork. In this scenario, if the client device 109 is connected to aWi-Fi network, the application 175 is not permitted to access thenetwork connection of the client device 109. If the client device 109 isonly connected to a cellular network, the application 175 is permittedto access the network connection of the client device 109.

A network whitelist 143 can identify applications 175 to which itapplies by identifying an application identifier, which can be a bundleidentifier, or any other identifier that uniquely identifies anapplication 175 with respect to other applications 175 on the clientdevice 109.

A network blacklist 145 can identify applications 175 in an applicationrepository, such as an application store or application marketplace,along with a network blacklist rule for each identified application 175.For example, an administrator can define a network blacklist rule for aparticular application that is distributed by or approved forinstallation by the enterprise on a client device 109. The networkblacklist rule can specify conditions under which the application 175 isnot permitted or is restricted from communicating over a cellularnetwork connection of the client device 109 or particular Wi-Fi networkconnections of the client device 109. In other words, the blacklistnetwork rule can identify particular network states that an applicationis not entitled to access a network connection of the client device 109.The application 175 can be permitted to access the network connection inall other instances. In one example, the network blacklist 145 canspecify that a particular application is not permitted to access thenetwork connection of the client device 109 when the network statematches the state that is specified by the network blacklist rule.

In one example, a network blacklist rule can specify that an application175 is not permitted to access the network connection of the clientdevice 109 to communicate with the 112 when the client device 109 isconnected to a managed Wi-Fi network. In this scenario, a managed Wi-Finetwork is a Wi-Fi network for which the management service 130 hasconfigured or pushed credentials to the management component 177. Inthis scenario, if the client device 109 is connected to any other Wi-Finetwork, or an unmanaged Wi-Fi network, the particular application 175is permitted to access the network connection of the client device 109.If the client device 109 is only connected to a cellular network, theapplication 175 is permitted to access the network connection of theclient device 109.

In another example, a network blacklist rule can specify that anapplication 175 is not permitted to access the network connection of theclient device 109 when the client device 109 is connected to anunmanaged Wi-Fi network. In this scenario, if the client device 109 isconnected to a managed Wi-Fi network, the application 175 is permittedto access the network connection of the client device 109. If the clientdevice 109 is only connected to a cellular network, the application 175is permitted to access the network connection of the client device 109.

In another example, a network whitelist rule can specify that anapplication 175 is not permitted to access the network connection of theclient device 109 when the client device 109 is connected to a Wi-Finetwork. In this scenario, if the client device 109 is connected to aWi-Fi network, the application 175 is not permitted to access thenetwork connection of the client device 109. If the client device 109 isonly connected to a cellular network, the application 175 is permittedto access the network connection of the client device 109.

A network blacklist 145 can identify applications 175 to which itapplies by identifying an application identifier, which can be a bundleidentifier, or any other identifier that uniquely identifies anapplication 175 with respect to other applications 175 on the clientdevice 109.

The client device 109 can be representative of one or more clientdevices 109. The client device 109 can include a processor-based system,such as a computer system, that can include a desktop computer, a laptopcomputer, a personal digital assistant, a cellular telephone, asmartphone, a set-top step, a music player, a tablet computer system, agame console, an electronic book reader, a smartwatch, or any otherdevice with like capability. The client device 109 can have an operatingsystem 170 that can perform functionalities and execute applications.The client device 109 can also execute applications 175, a managementcomponent 177 and/or other applications. Some of the applications 175can be deployed onto the client device 109 by the management service 130through the management component 177. Other applications 175 can bedownloaded and installed by a user from a n application repository. Forsome client devices 109, the operating system 170 can be part of amanagement platform and can be considered a management platformoperating system (OS) that supports management platform features likemultilayered protection, application-level security, and separation ofenterprise data from personal data. For other client devices 109, theoperating system 170 can be a non-management platform OS that does notsupport management platform features.

The client device 109 can also be equipped with networking capability ornetworking interfaces, including a localized networking or communicationcapability, such as a near-field communication (NFC) capability,radio-frequency identification (RFID) read or write capability, or otherlocalized communication capability. In some embodiments, the clientdevice 109 is mobile where the client device 109 is easily portable fromone location to another. The operating system 170 can control access tothe network 112 by applications 175 that are installed on the clientdevice 109. According to embodiments of the disclosure, access to thenetwork 112 or networking capabilities of the operating system 170 andthus the client device 109 can be controlled through use of the networkwhitelist 143 and/or network blacklist 145.

To this end, the management component 177 can obtain the networkwhitelist 143 and network blacklist 145 and save them within a datastore 127 that is local to the client device 109. The local copies ofthe whitelist and blacklist can be consulted by the management componentwhen modifying the network access permissions of the variousapplications 175 installed on the client device 109. Accordingly, anadministrator can determine the network access permissions ofapplications that a user might install or that might be deployed ontothe client device 109, and the network whitelist 143 and networkblacklist 145 can be deployed to the management component 177 associatedwith the various client devices 109 that are enrolled with themanagement service 130.

In one implementation, when the user enrolls his or her device as amanaged device, the management component 177 is installed with elevatedor administrator privileges such that it can take actions with respectto operating system network permissions of various applications. Inparticular, in an Android for Work® or Android for Enterprise®deployment, the management component 177 can modify operating systemparameters or permissions regarding network access of an application.Accordingly, the management component 177 can monitor the network stateof the client device 109 and adjust the various operating system networkpermissions of applications 175 installed on the device to be consistentwith the rules specified by the network whitelist 143 and networkblacklist 145.

As the network state of the client device 109 changes, so do thepermission of applications 175 to access the network connection of theclient device 109. Accordingly, reference is now made to FIGS. 2-3,which illustrates various approaches to enforcing the network whitelist143 and network blacklist 145.

In FIG. 2, shown is a sequence diagram illustrating steps performed bycomponents of the networked environment 100 for enforcing a networkwhitelist 143 and network blacklist 145 on a client device 109 that isenrolled with the management service 130 as a managed device. In thesequence depicted in FIG. 2, it is assumed that the management component177 has obtained the network whitelist 143 and/or network blacklist 145from the management service 130. Additionally, in some examples, themanagement service 130 can provision one or more managed Wi-Fi networkcredentials onto the client device 109 through the management component177. In this scenario, the management component 177 can log which Wi-Finetworks have been provisioned on the client device 109 by themanagement service 130.

First, at step 201, the operating system 170 can provide the networkstate or network status of the client device 109 to the managementcomponent 177. The network state of the client device 109 can specifywhich network or networks to which the client device 109 is connected.For example, the network state can identify the cellular networks andWi-Fi networks, if any, to which the client device 109 is currentlyconnected. In one implementation, whenever the network state of theclient device 109 changes, the operating system 170 can provide thenetwork state to the management component 177. In one example, themanagement component 177 subscribes to alerts from the operating system170 regarding the network state of the client device 109 to themanagement component 177.

Upon receiving the network state of the client device 109, themanagement component 177 can consult the network whitelist 143 andnetwork blacklist 145 obtained from the management service 130 todetermine whether any applications 175 installed on the client device109 are required to have their respect abilities to access the networkconnection of the client device 109 adjusted. For example, if the clientdevice 109 connects to a different Wi-Fi network that is a managed Wi-Finetwork, the management component 177 can determine whether the networkwhitelist 143 or network blacklist 145 specify network accesspermissions that require modification. For example, if the client device109 connects to a different Wi-Fi network that is an unmanaged Wi-Finetwork, the management component 177 can determine whether the networkwhitelist 143 or network blacklist 145 specify network accesspermissions that require modification.

In many Android for Work® or Android Enterprise® implementations, themanagement component 177 is installed with privileges that allow it tomodify operating system permissions for installed applications 175.Among these permissions are network access permissions. In one scenario,there are three possible values for a network access permission for anapplication: allow, deny, or default. In the “allow” case, theapplication 175 is permitted to access the network connection of theclient device 109. In the “deny” case, the application 175 is notpermitted to access the network connection of the client device 109. Inthe “default” case, the user is prompted to allow or deny access to thenetwork connection of the client device 109.

At 203, the management component 177 can consult the network whitelist143 and network blacklist 145 to determine whether the network statusrequires updating of client application network permissions.

Accordingly, at 205, upon consulting the network access permissionsspecified by the network whitelist 143 or network blacklist 145, themanagement component 177 can modify the operating system networkpermissions of the applications 175 installed on the client device 109in response to the network state received from the operating system 170.The changes in the operating system network permissions can grant ordeny access to the network connection for the installed applications175.

Subsequent to a change in the network state, the application 175 mightrequest access to the network connection of the client device 109through the operating system 170, which is shown in step 207. In onescenario, such a request can take the form of the application 175requesting to send a packet or other data via the network stack of theoperating system 170.

At step 209, the operating system 170 can determine whether to grant ordeny access to the network connection of the client device 109 basedupon the operating system network permission that is specified for theinstalled application 175.

At step 211, the operating system 170 can either approve or deny accessto the network connection based upon the defined permission. In theevent that the network permission is set to “allow,” or an analogousvalue, the operating system 170 can forward the packet or data beingsent by the application 175. In the event that the network permission isset to “deny,” or an analogous value, the operating system 170 canreturn an error to the application 175.

In FIG. 3, shown is a sequence diagram illustrating steps performed bycomponents of the networked environment 100 for enforcing a networkwhitelist 143 and network blacklist 145 on a client device 109 that isenrolled with the management service 130 as a managed device. In thesequence depicted in FIG. 3, it is assumed that the management component177 has obtained the network whitelist 143 and/or network blacklist 145from the management service 130. Additionally, in some examples, themanagement service 130 can provision one or more managed Wi-Fi networkcredentials onto the client device 109 through the management component177. In this scenario, the management component 177 can log which Wi-Finetworks have been provisioned on the client device 109 by themanagement service 130. FIG. 3 also depicts an alternative approach toenforcing the network whitelist 143 and/or network blacklist 145 on thevarious applications 175 that are installed on the client device 109.

First, at step 301, the management component 130 can register as theglobal proxy for all network traffic, for all HTTP traffic, all HTTPStraffic, or any combination thereof. In many platforms, such as theAndroid operating system, an application can register as a network proxythrough which certain or all network traffic is routed. In some cases,the application that registers as the global proxy must be anapplication that is installed with elevated privileges. For example, theapplication that registers as the global proxy might be required to bethe device administrator in order to register as the global proxy on thedevice.

In an example of the disclosure, the application registering as theglobal proxy can be the management component 177, which can obtain thenetwork whitelist 143 and network blacklist 145 from the managementservice 130. As the global proxy on the client device 109 through whichnetwork traffic is routed, the management component 177 can enforce thenetwork whitelist 143 and network blacklist 145 on the applications 175that are installed on the client device 109 and that attempt to accessthe network connection of the client device 109. In some implementationsof this disclosure, another application can register as the global proxyand enforce network access restrictions on behalf of the managementcomponent 177.

As the global proxy of the operating system 170, the managementcomponent 177 can obtain the network state of the client device 109.Again, the network state of the client device 109 can specify whichnetwork or networks to which the client device 109 is connected. Forexample, the network state can identify the cellular networks and Wi-Finetworks, if any, to which the client device 109 is currently connected.

At step 303, an application 175 installed on the client device 109 canrequest access to the network connection of the client device 109through the operating system 170. In one scenario, such a request cantake the form of the application 175 requesting to send a packet orother data via the network stack of the operating system 170.

At step 305, the operating system 170 can determine that the managementservice 130 has registered as the global proxy on the device and forwardthe request to the management component 177 for processing. Again, asthe global network proxy on the client device 109, all network trafficcan be routed through the management component 177.

At step 307, the management component 177 can consult the networkwhitelist 143 and network blacklist 145 obtained from the managementservice 130 to determine whether the request should be routed to itsdestination based upon the current network state of the client device109. For example, if the client device 109 connects to a different Wi-Finetwork that is a managed Wi-Fi network, the management component 177can determine whether the network whitelist 143 or network blacklist 145specify that the request should be routed to its requested destination.

At step 309, the management component 177 can determine whether to grantor deny access to the network connection of the client device 109 basedupon the operating system network permission that is specified for theinstalled application 175. In some cases, the management component 177can return an error message to the application 175 in the event that arequest is denied based upon a rule specified in a network whitelist 143or network blacklist 145. In the event of a request being granted, themanagement component 177 can route the network traffic from theapplication 175 to its destination.

FIG. 4 shows a flowchart 400 that illustrates an example of theoperation of the management component 177 for enforcing network accesspermissions for applications 175 according to the approach depicted inFIG. 2.

In the method depicted in FIG. 4, it is assumed that the managementcomponent 177 has obtained the network whitelist 143 and/or networkblacklist 145 from the management service 130. Additionally, in someexamples, the management service 130 can provision one or more managedWi-Fi network credentials onto the client device 109 through themanagement component 177. In this scenario, the management component 177can log which Wi-Fi networks have been provisioned on the client device109 by the management service 130.

First, at step 403, the management component 177 can obtain from theoperating system 170 the network state or network status of the clientdevice 109. The network state of the client device 109 can specify whichnetwork or networks to which the client device 109 is connected. Forexample, the network state can identify the cellular networks and Wi-Finetworks, if any, to which the client device 109 is currently connected.In one implementation, whenever the network state of the client device109 changes, the operating system 170 can provide the network state tothe management component 177. In one example, the management component177 subscribe to alerts from the operating system 170 regarding thenetwork state of the client device 109 to the management component 177.

At step 406, the management component 177 can obtain the networkwhitelist 143 and/or network blacklist 145 that is installed on theclient device 109. As noted above, the management service 130 can deploythe network whitelist 143 and network blacklist 145 onto the clientdevice 109. The network whitelist 143 and network blacklist 145 canspecify the network access rules that apply to applications 175 thatmight be installed on the client device 109.

At step 409, the management component 177 can consult the networkwhitelist 143 and network blacklist 145 obtained from the managementservice 130 to identify applications 175 installed on the client device109 that are identified by a network whitelist 143 and/or networkblacklist 145.

At step 412, the management component 177 can determine whether anyapplications 175 installed on the client device 109 are required to havetheir respective abilities to access the network connection of theclient device 109 adjusted. For example, if the client device 109connects to a different Wi-Fi network that is a managed Wi-Fi network,the management component 177 can determine whether the network whitelist143 or network blacklist 145 specify network access permissions thatrequire modification. For example, if the client device 109 connects toa different Wi-Fi network that is an unmanaged Wi-Fi network, themanagement component 177 can determine whether the network whitelist 143or network blacklist 145 specify network access permissions that requiremodification.

In many Android for Work® or Android Enterprise® implementations, themanagement component 177 is installed with privileges that allow it tomodify operating system permissions for installed applications 175.Among these permissions are network access permissions. In one scenario,there are three possible values for a network access permission for anapplication: allow, deny, or default. In the “allow” case, theapplication 175 is permitted to access the network connection of theclient device 109. In the “deny” case, the application 175 is notpermitted to access the network connection of the client device 109. Inthe “default” case, the user is prompted to allow or deny access to thenetwork connection of the client device 109.

Accordingly, at step 415, upon consulting the network access permissionsspecified by the network whitelist 143 or network blacklist 145, themanagement component 177 can modify the operating system networkpermissions of the applications 175 installed on the client device 109in response to the network state received from the operating system 170.The changes in the operating system network permissions can grant ordeny access to the network connection for the installed applications175.

Subsequent to a change in the network state, the application 175 mightrequest access to the network connection of the client device 109through the operating system 170. In one scenario, such a request cantake the form of the application 175 requesting to send a packet orother data via the network stack of the operating system 170. Theoperating system 170 can determine whether to grant or deny access tothe network connection of the client device 109 based upon the operatingsystem network permission that is specified for the installedapplication 175. Thereafter, the process can proceed to completion untila subsequent change in the network state of the client device 109.

FIG. 5 shows a flowchart 500 that illustrates an example of theoperation of the management component 177 for enforcing network accesspermissions for applications 175 according to the approach depicted inFIG. 3. The management component 177 can enforce a network whitelist 143and network blacklist 145 on a client device 109 that is enrolled withthe management service 130 as a managed device. In the method depictedin FIG. 5, it is assumed that the management component 177 has obtainedthe network whitelist 143 and/or network blacklist 145 from themanagement service 130. Additionally, in some examples, the managementservice 130 can provision one or more managed Wi-Fi network credentialsonto the client device 109 through the management component 177. In thisscenario, the management component 177 can log which Wi-Fi networks havebeen provisioned on the client device 109 by the management service 130.

First, at step 503, the management component 130 can register as theglobal proxy for all network traffic, for all HTTP traffic, all HTTPStraffic, or any combination thereof. In many platforms, such as theAndroid operating system, an application can register as a network proxythrough which certain or all network traffic is routed. In some cases,the application that registers as the global proxy must be anapplication that is installed with elevated privileges. For example, theapplication that registers as the global proxy might be required to bethe device administrator in order to register as the global proxy on thedevice.

In an example of the disclosure, the application registering as theglobal proxy can be the management component 177, which can obtain thenetwork whitelist 143 and network blacklist 145 from the managementservice 130. As the global proxy on the client device 109 through whichnetwork traffic is routed, the management component 177 can enforce thenetwork whitelist 143 and network blacklist 145 on the applications 175that are installed on the client device 109 and that attempt to accessthe network connection of the client device 109. In some implementationsof this disclosure, another application can register as the global proxyand enforce network access restrictions on behalf of the managementcomponent 177.

As the global proxy of the operating system 170, the managementcomponent 177 can obtain the network state of the client device 109.Again, the network state of the client device 109 can specify whichnetwork or networks to which the client device 109 is connected. Forexample, the network state can identify the cellular networks and Wi-Finetworks, if any, to which the client device 109 is currently connected.

At step 506, the management component 175 can obtain a request to accessthe network connection of the client device 109 that is made on behalfof an application 175 installed on the client device 109. The requestcan be obtained from the operating system 170, which can forward therequest to the management component 177 or directly from the application175. In one scenario, such a request from the application 175 can takethe form of the application 175 requesting to send a packet or otherdata via the network stack of the operating system 170.

At step 509, the management component 177 can consult the networkwhitelist 143 and network blacklist 145 obtained from the managementservice 130 to determine whether the request should be routed to itsdestination based upon the current network state of the client device109. For example, if the client device 109 connects to a different Wi-Finetwork that is a managed Wi-Fi network, the management component 177can determine whether the network whitelist 143 or network blacklist 145specify that the request should be routed to its requested destination.

At step 512, the management component 177 can determine whether to grantor deny access to the network connection of the client device 109 basedupon the operating system network permission that is specified for theinstalled application 175. In some cases, the management component 177can return an error message to the application 175 in the event that arequest is denied based upon a rule specified in a network whitelist 143or network blacklist 145. In the event of a request being granted, themanagement component 177 can route the network traffic from theapplication 175 to its destination. Thereafter, the process proceeds tocompletion. Upon receiving a subsequent request from or on behalf of anapplication 175 to access the network connection of the client device109, the method can proceed from step 506 until completion, as themanagement component 177 or another application on behalf of themanagement component 177 has been registered as the global proxy on theclient device 109.

A number of software components are stored in the memory and executableby a processor. In this respect, the term “executable” means a programfile that is in a form that can ultimately be run by the processor.Examples of executable programs can be, for example, a compiled programthat can be translated into machine code in a format that can be loadedinto a random access portion of one or more of the memory devices andrun by the processor, code that can be expressed in a format such asobject code that is capable of being loaded into a random access portionof the one or more memory devices and executed by the processor, or codethat can be interpreted by another executable program to generateinstructions in a random access portion of the memory devices to beexecuted by the processor. An executable program can be stored in anyportion or component of the memory devices including, for example,random access memory (RAM), read-only memory (ROM), hard drive,solid-state drive, USB flash drive, memory card, optical disc such ascompact disc (CD) or digital versatile disc (DVD), floppy disk, magnetictape, or other memory components.

Memory can include both volatile and nonvolatile memory and data storagecomponents. Also, a processor can represent multiple processors and/ormultiple processor cores, and the one or more memory devices canrepresent multiple memories that operate in parallel processingcircuits, respectively. Memory devices can also represent a combinationof various types of storage devices, such as RAM, mass storage devices,flash memory, or hard disk storage. In such a case, a local interfacecan be an appropriate network that facilitates communication between anytwo of the multiple processors or between any processor and any of thememory devices. The local interface can include additional systemsdesigned to coordinate this communication, including, for example,performing load balancing. The processor can be of electrical or of someother available construction.

The client devices 109 can include a display upon which a user interfacegenerated by the application 175 or another application can be rendered.In some examples, the user interface can be generated with userinterface data provided by the management service 130. The client device109 can also include one or more input/output devices that can include,for example, a capacitive touchscreen or other type of touch inputdevice, fingerprint reader, or keyboard.

Although the management service 130, applications 175, managementcomponent 177, and other various services and functions described hereincan be embodied in software or code executed by general purpose hardwareas discussed above, as an alternative the same can also be embodied indedicated hardware or a combination of software/general purpose hardwareand dedicated hardware. If embodied in dedicated hardware, each can beimplemented as a circuit or state machine that employs any one of or acombination of a number of technologies. These technologies can includediscrete logic circuits having logic gates for implementing variouslogic functions upon an application of one or more data signals,application specific integrated circuits (ASICs) having appropriatelogic gates, field-programmable gate arrays (FPGAs), or othercomponents.

The sequence diagram and flowcharts show examples of the functionalityand operation of an implementation of portions of components describedherein. If embodied in software, each block can represent a module,segment, or portion of code that can include program instructions toimplement the specified logical function(s). The program instructionscan be embodied in the form of source code that can includehuman-readable statements written in a programming language or machinecode that can include numerical instructions recognizable by a suitableexecution system such as a processor in a computer system or othersystem. The machine code can be converted from the source code. Ifembodied in hardware, each block can represent a circuit or a number ofinterconnected circuits to implement the specified logical function(s).

Although the sequence diagram and flowcharts show a specific order ofexecution, it is understood that the order of execution can differ fromthat which is depicted. For example, the order of execution of two ormore blocks can be scrambled relative to the order shown. Also, two ormore blocks shown in succession can be executed concurrently or withpartial concurrence. Further, in some embodiments, one or more of theblocks shown in the drawings can be skipped or omitted.

Also, any logic or application described herein that includes softwareor code can be embodied in any non-transitory computer-readable mediumfor use by or in connection with an instruction execution system such asa processor in a computer system or other system. In this sense, thelogic can include, for example, statements including instructions anddeclarations that can be fetched from the computer-readable medium andexecuted by the instruction execution system. In the context of thepresent disclosure, a “computer-readable medium” can be any medium thatcan contain, store, or maintain the logic or application describedherein for use by or in connection with the instruction executionsystem.

The computer-readable medium can include any one of many physical media,such as magnetic, optical, or semiconductor media. More specificexamples of a suitable computer-readable medium include solid-statedrives or flash memory. Further, any logic or application describedherein can be implemented and structured in a variety of ways. Forexample, one or more applications can be implemented as modules orcomponents of a single application. Further, one or more applicationsdescribed herein can be executed in shared or separate computing devicesor a combination thereof. For example, a plurality of the applicationsdescribed herein can execute in the same computing device, or inmultiple computing devices.

It is emphasized that the above-described embodiments of the presentdisclosure are merely possible examples of implementations described fora clear understanding of the principles of the disclosure. Manyvariations and modifications can be made to the above-describedembodiments without departing substantially from the spirit andprinciples of the disclosure. All such modifications and variations areintended to be included herein within the scope of this disclosure.

What is claimed is:
 1. A system, comprising: a client device; and amanagement component executable in the client device that, whenexecuted, causes the at least one computing device to: initiateenrollment of the client device with a management service based upon auser credential associated with a user account accessible to themanagement service; obtain a network whitelist associated with the useraccount, the network whitelist identifying an application and arespective network permission associated with the application, therespective network permission specifying at least one condition underwhich the application is permitted to access a network connection;determine a current network status of the client device; determine thatthe application is allowed to access or disallowed from accessing thenetwork connection based upon the current network status; and modify anoperating system network permission associated with the applicationbased upon the determination that the application is allowed to accessor disallowed from accessing the network connection.
 2. The system ofclaim 1, wherein the operating system network permission comprises atleast one of an Android Internet permission or an Android network stateaccess permission.
 3. The system of claim 1, wherein the respectivenetwork permission specifies whether the application is permitted toaccess the network connection when the client device is connected to aparticular WiFi network.
 4. The system of claim 1, wherein themanagement component is configured to block a request from theapplication to access the network connection when the current networkstatus is inconsistent with the respective network permission specifiedby the network whitelist, wherein the request is blocked by modifyingthe operating system network permission.
 5. The system of claim 1,wherein the management component further causes the at least onecomputing device to obtain a network blacklist associated with the useraccount, the network blacklist identifying another application andanother respective network permission associated with the otherapplication, the other respective network permission specifying at leastone condition under which the application is not permitted to access thenetwork connection.
 6. The system of claim 1, wherein when executed themanagement service further causes the at least one computing device toblock a request from the application to access the network connectionwhen the current network status is specified by the other respectivenetwork permission specified by the network blacklist.
 7. The system ofclaim 1, wherein when executed the management service further causes theat least one computing device to permit the application to access thenetwork connection when the current network status is not specified bythe other respective network permission specified by the networkblacklist, wherein the application is permitted by modifying theoperating system network permission.
 8. The system of claim 1, whereinwhen executed the management service further causes the at least onecomputing device to block the application from accessing the networkconnection when the current network status is specified by the otherrespective network permission specified by the network blacklist,wherein the application is blocked by modifying the operating systemnetwork permission.
 9. A method implemented by a management componentinstalled on a client device, comprising: initiating enrollment of theclient device with a management service based upon a user credentialassociated with a user account accessible to the management service;obtaining a network whitelist associated with the user account, thenetwork whitelist identifying an application and a respective networkpermission associated with the application, the respective networkpermission specifying at least one condition under which the applicationis permitted to access a network connection; determining a currentnetwork status of the client device; determining that the application isallowed to access or disallowed from accessing the network connectionbased upon the current network status; and modifying an operating systemnetwork permission associated with the application based upon thedetermination that the application is allowed to access or disallowedfrom accessing the network connection.
 10. The method of claim 9,wherein the operating system network permission comprises at least oneof an Android Internet permission or an Android network state accesspermission.
 11. The method of claim 9, wherein the respective networkpermission specifies whether the application is permitted to access thenetwork connection when the client device is connected to a particularWiFi network.
 12. The method of claim 9, further comprising blocking arequest from the application to access the network connection when thecurrent network status is inconsistent with the respective networkpermission specified by the network whitelist, wherein the request isblocked by modifying the operating system network permission.
 13. Themethod of claim 9, wherein the management component is installed on theclient device as a device administrator.
 14. The method of claim 9,further comprising obtaining a network blacklist associated with theuser account, the network blacklist identifying another application andanother respective network permission associated with the otherapplication, the other respective network permission specifying at leastone condition under which the application is not permitted to access thenetwork connection.
 15. The method of claim 9, further comprisingblocking a request from the application to access the network connectionwhen the current network status is specified by the other respectivenetwork permission specified by the network blacklist.
 16. Anon-transitory computer-readable medium embodying a management componentexecutable in a client device that, when executed, causes the clientdevice to: initiate enrollment of the client device with a managementservice based upon a user credential associated with a user accountaccessible to the management service; obtain a network whitelistassociated with the user account, the network whitelist identifying anapplication and a respective network permission associated with theapplication, the respective network permission specifying at least onecondition under which the application is permitted to access a networkconnection; determine a current network status of the client device;determine that the application is allowed to access or disallowed fromaccessing the network connection based upon the current network status;and modify an operating system network permission associated with theapplication based upon the determination that the application is allowedto access or disallowed from accessing the network connection.
 17. Thenon-transitory computer-readable medium of claim 16, wherein theoperating system network permission comprises at least one of an AndroidInternet permission or an Android network state access permission. 18.The non-transitory computer-readable medium of claim 16, wherein therespective network permission specifies whether the application ispermitted to access the network connection when the client device isconnected to a particular WiFi network.
 19. The non-transitorycomputer-readable medium of claim 16, wherein the management componentis configured to block a request from the application to access thenetwork connection when the current network status is inconsistent withthe respective network permission specified by the network whitelist,wherein the request is blocked by modifying the operating system networkpermission.
 20. The non-transitory computer-readable medium of claim 16,wherein the management component is installed on the client device as adevice administrator.